Hi,

Is there a way to add a Security Association for both ESP and ESP-UDP with setkey? I need this for my own IKEv2 daemon, which uses the setkey command to configure IPsec. According to the IKEv2 RFC, IKEv2 implementations must be able to receive and process both UDP-encapsulated ESP and non-UDP-encapsulated ESP packets at any time.

With setkey I can configure IPsec for either ESP-UDP or ESP, but not both.

I tried the following configuration:

add 192.168.1.201 172.22.1.210 esp-udp 3292998917 -m tunnel -E aes-cbc 0xb9450e7f5dd22ac260535c5b5159c896
-A hmac-sha1 0xe848877062bdbbc5cca13c279e64d91aa873ede3;

add 192.168.1.201 172.22.1.210 esp 3292998917 -m tunnel -E aes-cbc 0xb9450e7f5dd22ac260535c5b5159c896
-A hmac-sha1 0xe848877062bdbbc5cca13c279e64d91aa873ede3;

spdadd 0.0.0.0/0 192.168.48.129/32 any -P in ipsec esp/tunnel/192.168.1.201-172.22.1.210/require;

Unfortunately, I always get an error (File Exists) when adding the second SA.

Thanks in advance,
Fernando Martinez